Cisco Secure VPN Exam Certification Guide - Cisco press

18 Chapter 2: Overview of VPN and IPSec Technologies

6. What are the two modes of operation for AH and ESP?

7. How many Security Associations (SAs) does it take to establish bidirectional IPSec communications between two peers?

8. What is a message digest?

9. Which current RFCs define the IPSec protocols?

10. What message integrity protocols does IPSec use?

11. What is the triplet of information that uniquely identifies a security association?

“Do I Know This Already?” Quiz 19

12. You can select to use both authentication and encryption when using the ESP protocol. Which is performed first when you do this?

13. What five parameters are required by IKE Phase 1?

14. What is the difference between the deny keyword in a crypto Access Control List (ACL) and the deny keyword in an access ACL?

15. What transform set would allow SHA-1 authentication of both AH and ESP packets and would also provide Triple Data Encryption Standard (3DES) encryption for ESP?

16. What are the five steps of the IPSec process?


The answers to this quiz are listed in Appendix A, “Answers to the “Do I Know This Already?” Quizzes and Q&A Sections.” The suggestions for your next steps, based on quiz results, are as follows:

2 or less score on any quizlet—Review the appropriate portions of the “Foundation Topics” section of this chapter, based on Table 2-1. Proceed to the “Foundation Summary” section and the “Q&A” section.

8 or less overall score—Read the entire chapter, including the “Foundation Topics,” “Foundation Summary” sections, and the “Q&A” section.

9 to 12 overall score—Read the “Foundation Summary” section and the “Q&A” section. If you are having difficulty with a particular subject area, read the appropriate portion of the “Foundation Topics” section.

13 or more overall score—If you feel that you need more review on these topics, go to the “Foundation Summary” section, then to the “Q&A” section. Otherwise, skip this chapter and go to the next chapter.

Enabling VPN Applications Through Cisco Products 21

Foundation Topics

Cisco VPN Product Line

1 Cisco products enable a secure VPN

VPNs are typically deployed to provide improved access to corporate resources while providing tighter control over security at a reduced cost for WAN infrastructure services. Telecommuters, mobile users, remote offices, business partners, clients, and customers all benefit because corporations see VPNs as a secure and affordable method of opening access to corporate information.

Surveys have shown that most corporations implementing VPNs do so to provide access for telecommuters to access the corporate network from home. They cite security and reduced cost as the primary reasons for choosing VPN technology and single out monthly service charges as the cost justification for the decision.

VPN technology was developed to provide private communication wherever and whenever needed, securely, while behaving as much like a traditional private WAN connection as possible. Cisco offers a variety of platforms and applications that are designed to implement VPNs. The next section looks at these various products and Cisco’s recommended usage in the deployment of VPNs.

Enabling VPN Applications Through Cisco Products

Through product development and acquisitions, Cisco has a variety of hardware and software components available that enable businesses of all sizes to quickly and easily implement secure VPNs using IPSec or other protocols. The types of hardware and software components you choose to deploy depend on the infrastructure you already have in place and on the types of applications that you are planning to use across the VPN.

This section covers the following topics:

Typical VPN applications

Using Cisco VPN products

Typical VPN Applications

The business applications that you choose to run on your VPNs go hand in hand with the type of VPN that you need to deploy. Remote access and extranet users can use interactive applications such as e-mail, web browsers, or client/server programs. Intranet VPN deployments are designed to support data streams between business locations.


The benefits most often cited for deploying VPNs include the following:

Cost savings—Elimination of expensive dedicated WAN circuits or banks of dedicated modems can provide significant cost savings. Third-party Internet service providers (ISPs) provide Internet connectivity from anywhere at any time. Coupling ISP connectivity with the use of broadband technologies, such as digital subscriber line (DSL) and cable, not only cuts the cost of connectivity but can also deliver high-speed circuits.

Security—The cost savings from the use of public infrastructures could not be recognized if not for the security provided by VPNs. Encryption and authentication protocols keep corporate information private on public networks.

Scalability—With VPN technologies, new users can be easily added to the network. Corporate network availability can be scaled quickly with minimal cost. A single VPN implementation can provide secure communications for a variety of applications on diverse operating systems.

VPNs fall into three basic categories:

Remote access

Intranet

Extranet

The following sections cover these three areas in more detail.

Remote Access VPNs

Telecommuters, mobile workers, and remote offices with minimal WAN bandwidth can all benefit from remote access VPNs. Remote access VPNs extend the corporate network to these users over publicly shared infrastructures, while maintaining corporate network policies all the way to the user. Remote access VPNs are the primary type of VPN in use today. They provide secure access to corporate applications for telecommuters, mobile users, branch offices, and business partners. These VPNs are implemented over common public infrastructures using ISDN, dial, analog, mobile IP, DSL, and cable technology. These VPNs are considered ubiquitous because they can be established any time from practically anywhere over the Internet. E-mail is the primary application used by these connections, with database and office automation applications following close behind.

Some of the advantages that might be gained by converting from privately managed networks to remote access VPNs are as follows:

Modems and terminal servers, and their associated capital costs, can be eliminated.

Long-distance and 1-800 number expenses can be dramatically reduced as VPN users dial in to local ISP numbers, or connect directly through their always-on broadband connections.

Deployments of new users are simplified, and the increased scalability of VPNs allows new users to be added without increased infrastructure expenses.


Turning over the management and maintenance of the dial-up network to third parties allows a corporation to focus on its business objectives rather than on circuit maintenance.

Although there are many advantages, be aware of the following disadvantages when implementing a VPN solution:

IPSec has a slight overhead because it has to encrypt data as they leave the machine and decrypt data as they enter the machine via the tunnel. Though the overhead is low, it can impact some applications.

For users with analog modem connections to the Internet at 40 kbps or less, VPNs can cause a slight reduction in throughput because the IPSec overhead takes time to process the data.

IPSec is sensitive to delays. Because the public Internet infrastructure is used, there is no guarantee of the amount of delay that might be encountered on each connection leg as the tunneled data traverse the Internet. This should not cause major problems, but it is something to keep in mind. Users might need to periodically reestablish connections if delay thresholds are exceeded.

Remote access VPNs can initiate tunneling and encryption either on the dial-up client or on the network access server (NAS). Table 2-2 outlines some of the differences between the two approaches.

Table 2-2 Remote Access Models

Model Type: Client-initiated model
Characteristics:
Uses IPSec, Layer 2 Tunnel Protocol (L2TP), or Point-to-Point Tunneling Protocol (PPTP) for establishing the encrypted tunnel at the client.
Ubiquitous. ISP network is used only as a transport vehicle for the encrypted data, permitting the use of multiple ISPs.
Data is secured end to end from the point of origin (client) to the destination, permitting the establishment of VPNs over any infrastructure without fear of compromise.
Third-party security software packages, such as Cisco’s VPN Client, can be used to provide more enhanced security than system-embedded security software like PPTP.
A drawback is that you must install a VPN Client onto every remote user’s system. The initial configuration and subsequent maintenance require additional resources from an organization.

Model Type: NAS-initiated model
Characteristics:
VPNs are initiated at the service provider’s point of presence (POP) using L2TP or Layer 2 Forwarding (L2F).
Eliminates the need for client-based VPN software, simplifying installation and reducing administrative cost.
A drawback is that the data circuits from the POP to the client remain unprotected.
Another drawback is that you must use the same service provider end to end, eliminating the Internet as a transport vehicle.


Figure 2-2 depicts the two types of remote access VPNs that can be accommodated by Cisco equipment and software.

Figure 2-2 Remote Access VPNs
[Figure: a client-initiated VPN from a home office, with an IPSec, PPTP, or L2TP tunnel across the VPN cloud (Internet, IP); and a NAS-initiated VPN that crosses the Public Switched Telephone Network to a NAS, with an L2TP or L2F tunnel from the NAS across the VPN cloud.]

Site-to-Site Intranet VPNs

You can use site-to-site intranet VPNs to connect remote offices and branch offices to the headquarters internal network over a shared infrastructure. These connections typically use dedicated circuits to provide access to employees only. These VPNs still provide the WAN characteristics of scalability, reliability, and support for a variety of protocols at a reduced cost in a flexible manner.

Intranet VPNs are typically built across service provider-shared network infrastructures like Frame Relay, Asynchronous Transfer Mode (ATM), or point-to-point circuits. Some of the benefits of using intranet VPNs include the following:

Reduction of WAN costs, especially when used across the Internet.

Partially or fully meshed networks can be established, providing network redundancy across one or more service providers.

Ease of connecting new sites to the existing infrastructure.


Figure 2-3 shows a diagram of a typical intranet VPN network. The corporation manages the edge routers, providing flexible management and maintenance opportunities over intranet VPNs.

Figure 2-3 Intranet VPNs
[Figure: remote offices and a home office connected by VPNs across the Internet/IP network.]

Business-to-Business Extranet VPNs

Business-to-business extranet VPNs are the VPNs that give corporate network access to customers, suppliers, business partners, or other interested communities who are not employees of the corporation. Extranet VPNs use a combination of the same infrastructures that are used by remote access and intranet VPNs. The difference is found in the privileges that are extended to the extranet users. Security policies can limit access by protocol, ports, user identity, time of day, source or destination address, or other controllable factors.

Fixed, business-to-business connections and ubiquitous dial-up or broadband Internet connections are depicted in Figure 2-4.


Figure 2-4 Extranet VPNs
[Figure: a business partner with a fixed VPN connection across the Internet/IP network, a dial-up business partner reaching a NAS over the Public Switched Telephone Network, and a home office connected by VPN.]

Using Cisco VPN Products

Cisco can supply hardware and software to cover almost every possible VPN requirement. From routers and firewalls for intranet applications to VPN concentrators and clients for remote access applications, this section introduces you to some of the key features of Cisco VPN products.


Cisco VPN Routers

Cisco VPN routers are the best choice for constructing intranet or extranet site-to-site VPNs. These routers use Cisco IOS Software and can deliver multicast, routing, and multiprotocol support across the VPN. You can enable quality of service (QoS) on these devices, and the firewall feature option can turn these routers into robust firewalls. Some routers also have integrated DSL and cable modems to provide VPN access to small offices/home offices (SOHOs).

Some VPN routers can be equipped with special modules to handle encryption processing for VPN tunnels. These modules free memory and CPU cycles that can then be used for switching packets, which is the routers’ primary function.

These VPN routers offer the full range of VPN protocols and services. Table 2-3 shows some of the Cisco routers that are available for VPN service and identifies the application where they would most likely be applied.

Table 2-3 Cisco VPN Routers

Site: SOHO
Model: Cisco 827H ADSL Router
VPN Performance: 384 kbps; up to 50 tunnels
Features: Fixed configuration; integrated DSL modem; 4-port 10BaseT hub; support for EzVPN Remote
Application: Remote access VPN; extranet VPN

Site: SOHO
Model: Cisco uBR905 Cable Router
VPN Performance: 6 Mbps; up to 50 tunnels
Features: Fixed configuration; integrated cable modem; 4-port 10BaseT hub; support for EzVPN Remote and Server
Application: Remote access VPN; extranet VPN

Site: SOHO
Model: Cisco 806 Broadband Router
VPN Performance: 384 kbps; up to 50 tunnels
Features: Fixed configuration; installed behind broadband modem; 10BaseT Ethernet WAN interface; 4-port 10BaseT LAN hub; support for EzVPN Remote
Application: Remote access VPN; extranet VPN

Site: SOHO
Model: Cisco 1710 Router
VPN Performance: 3 Mbps; up to 100 tunnels
Features: Fixed configuration; 10/100 Fast Ethernet port; 10BaseT Ethernet port; support for EzVPN Remote and Server
Application: Remote access VPN; extranet VPN

continues